Opinion: Zotob - An Avoidable Worm And The Negligence Factor
Computer industry analyst Rob Enderle says the Zotob incident proves that companies have gotten lax with security upgrades and could be heading toward negligence when it comes to network security.
For much of this week we've been tracking the proliferation of the Win32.Peabot—a worm that also goes by the name of Zotob. This attack, like many others, came after the disclosure of an exposure in current versions of Windows that continues to suggest a cause and effect pattern of 'patch-release virus attack.'
This worm has hit a number of high profile sites but, so far, only unpatched Windows 2000 systems have been reported as damaged. This is because the extra work needed to attack an unpatched Windows XP system has delayed, if not prevented, a variant that will attack Windows XP based systems. This suggests, that at the very least, systems with this newer version have a longer grace period before they can be attacked.
Currently the working theory is that the organizations under attack have not protected themselves against laptop computers that, in attacks like this, perform the role of carriers and physically bypass the perimeter security in place in the company to infect other, normally well protected, computers. As with most worms of this type a properly configured firewall will stop the current generation of virus variants cold if the firewall is allowed to perform its function.
What is somewhat scary about this virus incident is that it appears to be a large and growing number of variants each more damaging then the last, making it almost look like there is some type of perverted competition between virus writers to see who can do the most damage. It is important to remember that companies with adequate security surrounding laptop use, and those that follow recommended practices with perimeter protection have likely not been impacted.
The Patching Strategy
This isn’t to say you can avoid patching, particularly for small businesses there is a critical requirement that security patches be applied promptly. We are now down to hours between when a patch is created and someone reverse engineers it to create a virus that exploits the identified exposure. Virus checking products are simply not fast enough as they typically take up to 24 hours to identify a virus, create a response to it, and then distribute that response.
If you are already patched when the virus hits you are generally immunized from the related virus and most if not all of the variants while must virus products still have to be updated for each variant. This is particularly true now that many are specifically written to by pass popular virus checking offerings.
Securing Firewalls And Remote Sites
Firewall ports should be closed by default and only those that need to be open should be open. This latest virus targeted port 445 that is used for file and printer sharing and should never be open on a firewall (this activity, if allowed, should only occur within a company between PCs that never venture out of the perimeter protection currently in place).
What we often forget is that remote offices and employees working from home often drill through firewalls with trusted links like virtual private networks (VPNs). While I personally think VPNs are a really bad idea sometimes, they can’t be avoided and that means this remote site has to be as secure as possible. In effect, if such a link exists, the remote site should be regularly audited to insure it is adequately protected. In most cases this can be done remotely but it still needs to be done regularly.
One product that could help with small offices and home offices is the Eli Managed Broadband Security Appliance . It is a remotely managed firewall, router, and access point with heavy content filtering. It is one of the few affordable products I’ve seen that comes close to affordable and adequate perimeter protection to homes and small offices.
On the physical security front, a common practice in security audits is to go to a remote executive’s site and then penetrate the company’s security from that inadequately protected site. Just because you don’t read about companies being compromised in this way does not mean the events aren’t happening.
5 Top Federal Initiatives For 2015As InformationWeek Government readers were busy firming up their fiscal year 2015 budgets, we asked them to rate more than 30 IT initiatives in terms of importance and current leadership focus. No surprise, among more than 30 options, security is No. 1. After that, things get less predictable.
Join us for a roundup of the top stories on InformationWeek.com for the week of December 14, 2014. Be here for the show and for the incredible Friday Afternoon Conversation that runs beside the program.